With great job titles come great responsibilities. C-level employees, senior management, and upper-level members of all organizations work challenging shifts. Sometimes, those challenges lead to habits that could undermine the security of an organization. If you’re in a position of power, it’s your job to reduce risky behavior, such as in the examples that follow, and ensure that your actions lay the groundwork for the organization to succeed.
Not Participating in Training
Managers and upper-level employees lead busy lives. They also lead by example—a function of their responsibilities that applies just as much to awareness training as it does to anything else. When executives skip training, this may send a message to their employees that “security awareness only matters to some members of our organization.” Conversely, when they do participate in training, they positively reinforce the importance of the organization’s security, and how it applies to everyone from the front desk to the CEO.
Managers should also recognize their place in the cybersecurity chain. With higher levels of access than other employees, executives carry the highest level of risk. A small mistake could lead to a major data breach. And given their high profile, they automatically become top targets for attackers. As such, security awareness training is almost more important for upper management than it is for other members of the organization.
Assuming They’re Above Policy
Following policy represents a top mandate for all members of an organization. When an executive circumvents policy for any reason, they undermine the organization’s objectives, while inviting unnecessary risk. They also, once again, fail to lead by example.
While it’s true that a manager’s job is to interpret rules and bend them if absolutely necessary (usually justified as “performance-based judgment calls”), breaking policy that then puts sensitive data at risk, should be avoided at all cost. For example, an upcoming deadline could lead to a C-level downloading a database to a USB flash drive so it can be worked on from home. But what would happen if he or she misplaced that flash drive and it somehow ended up in the wrong hands? Not only would that violation of policy lead to a breach of compliance regulations (which then would lead to fines and potential termination), it could destroy trust between the organization and its partners and clients. No deadline is worth those devastating results.
Allowing Some Employees to Circumvent Policy
Tying into the point above, allowing a department or certain employees to bypass security policies in order to finish a project on time sets a dangerous precedent. You can’t put a genie back in the bottle. Once you’ve allowed employees to break policies, they’ll be more likely to break those policies again and feel less threatened by the consequences of doing so.
It also fragments your organization’s culture. Some employees may view a manager’s lax terms for their co-workers as special treatment. The last thing any manager wants is to appear to be playing favorites. Everyone should be held to the same security standards, including executives.
Assuming Cybersecurity Is Only the CISO’s Responsibility
Every CISO (Chief Information Security Officer) manages the difficult task of overseeing an organization’s entire security operation. And while they likely don’t need another cook in their kitchen, they could certainly use help from other upper-level co-workers. That could include a simple gesture, such as making sure everyone received notices on policy changes or something as complex as determining which metrics to measure or where future budgets should be spent.
Team managers and other executives can also help their CISOs out by staying involved (participating in training!) and taking note of the team’s security habits. If a certain department needs additional training based on current threats, the manager should pass that info along. The worst thing anyone can do is assume that the CISO has everything covered and doesn’t need anyone’s help. Remember, cybersecurity is a team sport!